The majority of board members in asset management and banking firms are not clear on the specific cyber risks they face, the Financial Conduct Authority (FCA) has revealed.
After conducting a multi-firm review, the regulator found that company bosses are instead likely to delegate responsibility for cyber security to their IT departments.
This could limit the extent to which IT strategies are independently challenged, according to the FCA, which said cyber security should be the responsibility of a "business as a whole".
On specific cyber threats, the review found, for example, that some boards had not considered the risk that their firms could be used as a conduit to damage other businesses.
"All the firms acknowledged the importance of strong cyber security, but there were different degrees of understanding of the many potential ways that weak cyber security could affect business activities and lead to harm to clients and the wider markets," the FCA said.
The findings show that awareness is lower in firms that do not have a cyber-specific strategy, and in firms where cyber is not part of the broader risk management framework.
This is also likely to be the case at companies with incident response plans that take little account of non-technical consequences, such as the impact on reputation, clients and markets.
The review involved a study of 20 firms with varying size, structure and business models, with the asset managers' assets ranging from below £15bn to over £500bn.
Firms in the sample "generally lacked board members with strong familiarity or specific technical cyber-expertise", and many said this was due to their size or low risk-profile.
Ryan Dodd, CEO of cyber risk assessment and audit firm Cyberhedge, said investors should be "outraged" that asset managers are unclear on the risks they face.
"Asset managers would never get away with side-lining risk related to financial fraud, so why are they allowed to do so for cyber-related risk?" he continued.
"The FCA, as the regulator, must demand that asset managers are as rigorous in their understanding and assessment of cyber risk as they are to other regulated areas.
"This is a governance issue and should be managed appropriately, with board-level accountability."